WatersWorks by John K. Waters

Older Versions Threaten Java Security; Experts Weigh In

Bit9 released a report last week underscoring the ongoing security risk to the enterprise posed by outdated versions of Java still up and running on company machines -- versions of the platform with vanishing support and known and easily exploitable vulnerabilities.

Bit9 sifted its own data on more than a million endpoints to assemble the report. It found that, among those endpoints with Java installed, more than 80 percent are currently running Java 6. That version reached the end of public support in April. Though Oracle customers with long-term support contracts continue to receive security updates for Java 6, most of the company's efforts to strengthen security have been focused on Java 7. The Bit9 researchers found that only 15 percent of the endpoints were running Java 7 -- and only 1 percent of those had installed Java 7 update 21 (the latest secure version at the time of the study).

Also, according to the report ("Java Vulnerabilities Report: Write Once, Pwn Anywhere"), 42 percent of the endpoints are running more than one version of Java, and 20 percent are running more than two versions. And 5 percent of the organizations analyzed had 100 or more distinct Java versions installed in their environments.

Why are so many endpoints running multiple versions of Java? Because the Java installation and update process often does not remove the older, vulnerable versions, observed Bit9 CTO Harry Sverdlove.
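The inventory problem Sverdlove describes is easy to miss without a check that treats each installed runtime as a separate row rather than asking "is Java updated?". The following script is an added illustration, not tooling from Bit9 or from the article: it parses Java version strings, flags anything below the Java 7 update 21 baseline the article cites, and reports hosts that still carry more than one runtime. The inventory rows, the hostnames and the two accepted version-string formats are constructed assumptions about what an endpoint inventory might emit.

```python
"""Flag stale and duplicate Java installations across an endpoint inventory.

Added example (not from the Bit9 report or the article). The inventory data
below is constructed; the field layout and the baseline are assumptions.
"""
import re
from collections import defaultdict

# Baseline named in the article: Java 7 update 21, i.e. version string 1.7.0_21.
BASELINE = (7, 21)

# Two string forms are accepted as an assumption about inventory output:
# the legacy "1.7.0_21" form and the short "7u21" form used in installer names.
_LEGACY = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")
_SHORT = re.compile(r"^(\d+)u(\d+)$")


def parse_version(text):
    """Return (major, update) for a Java version string, or None if unparseable."""
    text = text.strip()
    m = _LEGACY.match(text) or _SHORT.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_outdated(version, baseline=BASELINE):
    """True when (major, update) sorts below the baseline; tuple comparison
    handles both an older major release and an older update of the same major."""
    return version < baseline


def audit(inventory, baseline=BASELINE):
    """inventory: iterable of (hostname, version_string), one row per installed runtime.
    Returns {host: {"versions", "outdated", "multiple", "unparsed"}}."""
    per_host = defaultdict(list)
    for host, raw in inventory:
        per_host[host].append(raw)

    report = {}
    for host, raws in per_host.items():
        parsed = [parse_version(r) for r in raws]
        # Keep strings we could not parse so they are reviewed rather than silently dropped.
        unparsed = [r for r, p in zip(raws, parsed) if p is None]
        versions = {p for p in parsed if p is not None}
        report[host] = {
            "versions": sorted(versions),
            "outdated": sorted(v for v in versions if is_outdated(v, baseline)),
            "multiple": len(versions) > 1,   # more than one distinct runtime present
            "unparsed": unparsed,
        }
    return report


def summarize(report):
    """Aggregate per-host findings into headline counts."""
    return {
        "hosts": len(report),
        "hosts_with_outdated": sum(1 for r in report.values() if r["outdated"]),
        "hosts_with_multiple": sum(1 for r in report.values() if r["multiple"]),
    }


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-001", "1.6.0_45"),   # updated host that still carries Java 6
    ("ws-001", "1.7.0_21"),
    ("ws-002", "1.7.0_21"),   # clean: single runtime at baseline
    ("ws-003", "1.7.0_17"),   # three runtimes, two of them stale
    ("ws-003", "1.6.0_31"),
    ("ws-003", "7u21"),
    ("ws-004", "unknown"),    # inventory noise that must not be ignored
]

if __name__ == "__main__":
    findings = audit(SAMPLE_INVENTORY)
    for host, result in sorted(findings.items()):
        print(host, result)
    print(summarize(findings))
```

The point of keeping one row per runtime is that a host such as ws-001 would pass a naive "latest version installed?" check while still exposing the Java 6 attack surface the article describes; the per-host `outdated` list surfaces exactly that case.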

"IT administrators have essentially been lied to for 15 years," Sverdlove said in a video posted with the report. "They have been told that to protect themselves from the latest security vulnerabilities they should apply updates and apply them frequently. But for many years applying updates to Java left the older versions still present...Attackers are able to use those older versions."

Jerome Segura, senior security researcher at anti-malware solutions provider Malwarebytes, agrees. "Oracle advises its users to remove old versions [of Java], but does not automatically do it for various reasons," Segura said. "In some enterprises, old Java versions are required for backwards compatibility."

"Remember the saying 'never change a running system'?" said Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira. "That's exactly what is happening out there. Ten or fifteen years ago, when many of those applications were written, there was no danger of hackers [doing] pen-testing on them with the only purpose of discovering vulnerabilities that can get exploited. Now we have this danger and Oracle sees itself in front of a big problem, which has many faces."

But even organizations running the latest version of Java are often not on top of their updates. In March, Websense published a report on its investigation of active Java versions running on tens of millions of endpoints. It found that 93 percent of users had not patched to the most recent version of Java. Like Bit9, the Websense researchers also found that enterprises have been slow to apply Java 7 update 21.

"This is not a new issue, of course," said Julien Sobrier, senior security researcher at Zscaler. "Java is an old technology and it has been running on many devices for many years. It has always been a struggle to keep it up to date."

It may not be a new problem, but it is a serious one, said Brian Gorenc, manager of vulnerability research in Hewlett-Packard's Security Research organization. Gorenc runs the Zero Day Initiative, the world's largest vendor-agnostic bug bounty program.

"Those older versions of Java can have a lot of security flaws, which are actively targeted by attackers," Gorenc said. "You see it in the advanced exploits. They're verifying which versions of Java are running, and then targeting the older versions if they're installed. A company might think they're doing the right thing by updating their Java installations, but in reality they still have versions of Java 6 out there running on older patch levels, which means they still have the attack surface from Java 6."

Creators of exploit kits, which are marketed and sold to malicious hackers, regard older Java bugs as highly valuable, Gorenc said, and those bugs are still used to compromise machines.

"The best advice here is nothing new," Gorenc added. "Organizations need to know what software is running on their systems, what attack surface that software exposes, and how to use risk-management tools to properly address the reality of their situation."